In March 2012, we intercepted an IRS-themed malicious campaign that served client-side exploits to prospective victims in an attempt to drop malware on the affected hosts.

This week, we intercepted three consecutive campaigns using the exact same email template as the March campaign. What has changed? Are the cybercriminals behind these campaigns relying on any new tactics, or are they sticking to well-proven techniques to infect tens of thousands of socially engineered users?

Let’s find out.

More details:

Sample screenshot of the spamvertised email:

Unlike the March 2012 campaign, which used client-side exploits in an attempt to drop malware on the affected host, the last three campaigns have relied on malicious archives attached to the spamvertised emails. Each sample has a unique MD5 and phones back to a different (compromised) command and control server.

The first sample, MD5: f56026fcc9ac2daad210da82d92f57a3, is detected by 36 out of 44 antivirus scanners as Worm:Win32/Cridex.E and phones back to 210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan).

The second sample, MD5: 53c4f27ce39fa8b9330c3faff85e4917, is detected by 35 out of 44 antivirus scanners as Worm:Win32/Cridex.E and phones back to 128.2.172.202:8080/Ajtw/UCygrDAA/Ud+asDAA (AS9, Carnegie Mellon University Backbone AS).

We also have another sample, MD5: 532bdd2565cae7b84cb26e4cf02f42a0, detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E, that is known to have phoned back to the same IP: 128.2.172.202:8080/37ugtbaaaaa/enmtzaaaaa/pxos/

The following MD5s are also known to have phoned back to this very same IP:

The third sample used in the IRS-themed campaign, MD5: 32b4227ae379f98c1581f5cb2b184412, is detected by 36 out of 44 antivirus scanners as Worm:Win32/Cridex.E and phones back to 202.143.189.180:8080/Ajtw/UCygrDAA/Ud+asDAA (AS23974, Ministry of education, Thailand).
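To turn the indicators above into something a defender can actually run, here is an added example (not code from the original post) that scans proxy log lines for the C2 host:port pairs and URI paths listed above. The log format, client IPs and timestamps are constructed assumptions; the IPs, ports and paths are the ones quoted in the post. Because three samples reuse the identical path on different hosts, the check also flags that path on any host.

```python
import re
from collections import namedtuple

# C2 endpoints quoted in the post: (host, port, URI path) per sample.
KNOWN_C2 = {
    ("210.56.23.100", 8080, "/Ajtw/UCygrDAA/Ud+asDAA"),
    ("128.2.172.202", 8080, "/Ajtw/UCygrDAA/Ud+asDAA"),
    ("128.2.172.202", 8080, "/37ugtbaaaaa/enmtzaaaaa/pxos/"),
    ("202.143.189.180", 8080, "/Ajtw/UCygrDAA/Ud+asDAA"),
}
KNOWN_HOSTS = {h for h, _, _ in KNOWN_C2}
KNOWN_PATHS = {p for _, _, p in KNOWN_C2}

# Constructed proxy log (assumed format: timestamp client-ip METHOD URL status).
SAMPLE_LOG = """\
2012-06-12T10:01:02 10.0.0.15 POST http://210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA 200
2012-06-12T10:01:05 10.0.0.15 GET http://www.example.com/index.html 200
2012-06-12T10:02:11 10.0.0.22 POST http://128.2.172.202:8080/37ugtbaaaaa/enmtzaaaaa/pxos/ 200
2012-06-12T10:03:40 10.0.0.31 GET http://128.2.172.202/ 404
"""

Hit = namedtuple("Hit", "timestamp client host port path match")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?(/.*)?$")


def parse_line(line):
    """Split one log line into (timestamp, client, host, port, path); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return ts, client, u.group(1), int(u.group(2) or 80), u.group(3) or "/"


def classify(host, port, path):
    """Strongest matching indicator: exact endpoint, known C2 IP, or reused C2 URI path."""
    if (host, port, path) in KNOWN_C2:
        return "exact-c2"
    if host in KNOWN_HOSTS:
        return "c2-ip"          # any traffic to a listed C2 host is worth a look
    if path in KNOWN_PATHS:
        return "c2-uri"         # same path seen on three different hosts in the post
    return None


def scan(log_text):
    """Return a Hit for every log line that matches one of the indicators."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host, port, path = parsed
        match = classify(host, port, path)
        if match:
            hits.append(Hit(ts, client, host, port, path, match))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.host}:{hit.port}{hit.path} [{hit.match}]")
```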